
Update README

yhirose 1 month ago
parent
commit
63ede29db1
1 changed files with 10 additions and 1 deletions
  1. 10 1
      README.md

+ 10 - 1
README.md

@@ -537,8 +537,17 @@ svr.Post("/multipart", [&](const Request& req, Response& res) {
       std::cout << "Header: " << header.first << " = " << header.second << std::endl;
       std::cout << "Header: " << header.first << " = " << header.second << std::endl;
     }
     }
 
 
+    // IMPORTANT: file.filename is an untrusted value from the client.
+    // Always extract only the basename to prevent path traversal attacks.
+    auto safe_name = std::filesystem::path(file.filename).filename();
+    if (safe_name.empty() || safe_name == "." || safe_name == "..") {
+      res.status = StatusCode::BadRequest_400;
+      res.set_content("Invalid filename", "text/plain");
+      return;
+    }
+
     // Save to disk
     // Save to disk
-    std::ofstream ofs(file.filename, std::ios::binary);
+    std::ofstream ofs(upload_dir / safe_name, std::ios::binary);
     ofs << file.content;
     ofs << file.content;
   }
   }